
Disable the X-Requested-With header to avoid preflighting remote POST…

… requests. Fixes #4601.
John Resig John Resig
John Resig authored and John Resig committed Nov 25, 2009
1 parent 0f6e9a8 commit a7678267d848fcef8775c8b9f4fa3e507b8cc5f4
Showing with 7 additions and 5 deletions.
  1. +7 −5 src/ajax.js
@@ -275,13 +275,12 @@ jQuery.extend({
}

// Matches an absolute URL, and saves the domain
var parts = rurl.exec( s.url );
var parts = rurl.exec( s.url ),
remote = parts && (parts[1] && parts[1] !== location.protocol || parts[2] !== location.host);

// If we're requesting a remote document
// and trying to load JSON or Script with a GET
if ( s.dataType === "script" && type === "GET" && parts
&& ( parts[1] && parts[1] !== location.protocol || parts[2] !== location.host )) {

if ( s.dataType === "script" && type === "GET" && remote ) {
var head = document.getElementsByTagName("head")[0] || document.documentElement;
var script = document.createElement("script");
script.src = s.url;
@@ -350,7 +349,10 @@ jQuery.extend({
}

// Set header so the called script knows that it's an XMLHttpRequest
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
// Only send the header if it's not a remote XHR
if ( !remote ) {
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
}

// Set the Accepts header for the server, depending on the dataType
xhr.setRequestHeader("Accept", s.dataType && s.accepts[ s.dataType ] ?
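Review bot: The `remote` test added in the first hunk compares the URL's scheme and host to `location.protocol` and `location.host` as raw strings, so a same-origin absolute URL written with different letter case or an explicit default port (such as `:80`) is classified as remote. With the second hunk, that request now goes out without `X-Requested-With`, and server code that keys on the header, whether to detect Ajax calls or as a cross-site request check, will treat it as a non-XHR request. Lowercasing the captured parts closes the case gap, `remote = parts && (parts[1] && parts[1].toLowerCase() !== location.protocol || parts[2].toLowerCase() !== location.host);`, while default ports would still need a port-aware comparison. A comment at the `if ( !remote )` guard would also help, such as `// Cross-domain requests omit X-Requested-With; servers must not assume it is present`. The enclosing function starts and ends outside both hunks, so what `rurl` captures as the host is not visible here.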
